yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1796077] Re: policy.json doesn't allow user to change password

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Gage Hugo <gagehugo@xxxxxxxxx>
Date: Thu, 04 Oct 2018 16:37:39 -0000
Reply-to: Bug 1796077 <1796077@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Users have their own self-service API[0] they can call to change their
own password.  This is separate from the update_user one, and is
currently not covered by any policy.  There are ways to enforce security
regulations (PCI-DSS) on users, which is more defined here[1].

[0] https://developer.openstack.org/api-ref/identity/v3/#change-password-for-user
[1] https://docs.openstack.org/keystone/pike/admin/identity-security-compliance.html

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1796077

Title:
  policy.json doesn't allow user to change password

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Currently in Keystone the default policy.v3cloudsample.json doesn't
  allow user to change its password.

  It's defined in:
  "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id"
  which make user (which is owner in policy.json) unable to change it own password.

  Not sure if this change is intended or not, but as a operator, I would
  like to allow users to change its password by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1796077/+subscriptions

References

[Bug 1796077] [NEW] policy.json doesn't allow user to change password
From: Ching Kuo, 2018-10-04